IN THE CLAIMS 



1 . (Currently Amended) A system that allows analysis of software running in a tamper- 
resistant environment, the system comprising: 

a processor which monitors at least one instance of software execution act i v i t i es 
identified and selected bv a user to be monitored and creates a log entry with f ef at 
least one set of data derived from the one instance of software execution, wherebv the 
set of data is used to diagnosis the software execution ; 

an encryption system which encrypts the log entry for the at least one set of data 
so l octod act i v i ty ; 

a log file of a relatively-fixed size which stores the oncryptod log entry for the at 
least one set of data ontrios which have been enervated ; &r4 

random data in the log file when it is originally created and which is replaced by 
log entries so that the a size of the log file conta i n i ng including log entries appears to be 
a substantially-constant size; and 

a pointer which idontif i od identifies the a next storage location for ^ a next log 
entry so that the a last log entry can be determined and the next log entry can be 
positioned in a location in the log file after the a previous log entry. 

2. A system including the elements of Claim 1 wherein the system includes a 
transmission system for sending the log file, upon command, to a secure processing 
location away from the system in which the log file was created. 
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3. (Currently Amended) A system including the elements of Claim 1 wherein the system 
includes a system for wrapping around and filling the log file from the a beginning when 
the log file has been filled, allowing the log file to remain at a substantially-constant size 
even after the log file has been filled with data and a new entry is received. 

4. (Currently Amended) A system including the elements of Claim 1 wherein the system 
includes a mechanism for obscuring the act i v i ty for wh i ch a log entry is which has been 
created. 

5. (Currently Amended) A system including the elements of Claim 4 wherein the 
mechanism for obscuring the act i v i ty for wh i ch a log entry is which has been created 
includes a printing function for writing into the log file. 

6. (Currently Amended) A system including the elements of Claim 2 wherein the system 
includes a mechanism for receiving an indication from the abuser that transmission is 
desired and transmits the log file in response to that indication. 

7. (Currently Amended) A system including the elements of Claim 1 wherein the system 
further includes a mechanism for receiving an input from a user that initiates logging of 
log entries into the log file each time loaaing is desired bv the user . 
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8. (Currently Amended) A system including the elements of Claim 1 wherein the system 
further includes an initializing mechanism for determining wheft each instance logging is 
to begin and initiating logging of log entries only in response to that initializing 
mechanism. 

9. (Currently Amended) A system including the elements of Claim 1 wherein the system 
uses a public key to provide encrypt the log ontrioo entry which has been created and a 
private key corresponding to the public key is used to decrypt the log ontr i os entry 
which has been created at a secure location. 

1 0. (Currently Amended) A method of ana l yz i ng tho operat i on of for diagnosing 
software in a tamper-resistant environment comprising the steps of: 

generating a log file full of random data; 

turning on logging and establishing a pointer for the a location of the a next 
logged ovont software operation activity : 

monitoring the at least one oporat i on of software operation activity within the 
tamper-resistant environment and generating messages in response to oporat i on of tho 
at least one instance of software execution within the tamper-resistant environment; 

logging an ovont at least one software operation activity relating to a generated 
message by replacing a random data with an encrypted record of an ovont the software 
operation activity ; 

moving the pointer when a log entry has been made to the a next available log 

position; 
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wrapping the pointer to the top a beginning of the log file when the log file is full 
of log entries; and 

sending the log file to a secure location where i t may the log file can be 
decrypted and analyzed; and 

analyzing decrypted log file data and providing information on the operat i on of 
^ for diagnosing software in the tamper-resistant environment. 

1 1 . (Currently Amended) A method including the steps of Claim 10 wherein the step of 
turning on logging includes the steps of receiving aft a user input indicating that logging 
is desired and initiating the logging in response thereto. 

1 2. (Currently Amended) A method including the steps of Claim 1 0 wherein the step of 
l ogg i ng an ovont at least one software operation activity further includes the steps of 
determining whether the ovont software operation activity is to be logged, and if so, 
determining when to ie§ encrypt the ovont software operation activity to obscure what is 
being logged. 

13. (Currently Amended) A method including the steps of Claim 10 wherein the step of 
logging an ovon the software operation activity further includes the steps of determining 
tho noxt l ocat i on for l ogg i ng a next available log position , replacing tl=ie existing data in 
the l ocat i on next available log position with the data from the ovont software operation 
activity , and updating the pointer to provide ttie a location of tl=ie next logged ovont 
software operation activity . 
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1 4. A method including the steps of Claim 1 0 and further including the step of 
receiving a command from a user that indicates that sending the log file to a remote 
location is desired and transmitting the log file in response thereto. 

15. (Currently Amended) A sorv i co wh i ch oporatos to ana l vzo method of anaivzing the 
operation of software in a remote protected processing environment, the sorv i co 
method including: 

receiving from the remote protected processing environment an encrypted log 
file of substantially-constant size roprosont i ng comprising at least one log ontr i os entry 
with of so l octod ovonts at least one set of data derived from at least one instance of 
software execution monitored in response to a user identifying and selecting the one 
instance of software execution, whereby the set of data is used to diagnose the 
software execution wh i ch occurred at the romoto protoctod procoss i na onv i ronmont : 

determining a decrypting key for the encrypted log file and decrypting the 
encrypted log file; 

analyzing the log ontr i os entry of so l octod ovonts at the remote protected 
processing environment aod to_ dotormining determine whether the an operation of the 
remote protected processing environment corresponding to the at least one set of data 
derived from at least one instance of software execution is appropriate; and 

reporting the results of the analyzing step. 
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1 6. (Currently Amended) A service method providing the steps of Claim 1 5 and further 
including providing an instruction to initiate the a logging of messages each time loggina 
is desired bv the user and an instruction to send to the encrypted log file to tlie a 
remote l ocat i on system for analysis. 

1 7. (Currently Amended) A sorv i co method providing the steps of Claim 1 6 wherein the 
instruction to initiate logging of messages includes the step of initiating programming 
within the romoto system remote protected processing environment to replace 
information in a the encrypted log file with encrypted information relating to the 
operation of the remote protected processing environment . 

1 8. (Currently Amended) A sorv i co method providing the steps of Claim 1 7 wherein the 
step of replacing data information in the encrypted log file includes the step of replacing 
random data which was placed in the encrypted log file when it was created. 

1 9. (Currently Amended) A sorv i co method providing the steps of Claim 1 7 wherein the 
step of replacing data information in the encrypted log file includes the step of using a 
pointer to tt^e a next location in the encrypted log file and the pointer wraps to tho top a 
beginning of the log file after the encrypted log file has been filled. 

20. (Currently Amended) Software stored on a dov i co compr i s i ng A computer program 
product for analyzing software running in a tamper-resistant environment, the computer 
program product comprising instructions for : 
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a f i rst modu l o i nc l uding storod program i nstructions for recording ovonts at least 
one set of data serviced from at least one instance of software execution identified and 
selected bv a user to be monitored whereby the set of data is used to diagnosis the 
software execution: 

a second modu l o for encrypting the recording of ovonts the at least one set of 
data using a key; 

a th i rd modu l o for recording the at least one set of data, which has been 
encrypted ovonts sequentially in a storage block of a substantially fixed size; 

a fourth modulo maintaining a pointer ef the to a next available location for the 
lee recording the at least one set of data sequentially in the storage block : 

a f i fth modu l o for responding to a command and sending the an encrypted log 
file comprising the at least one set of data which has been encrypted and sequentially 
receded in the storage block to a remote location for decryption and analysis. 

21 . (Currently Amended) Software i nc l ud i ng tho o l omonts of C l a i m 20 whoro i n tho 
Doftwaro further i nc l udos The computer program product of claim 20. further comprising 
instructions for : 

a mechan i sm for initializing the storage block of a substantially fixed size with 
random information which has been encrypted to provide a block of apparent data. 
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22. (Currently Amended) Software inc l ud i ng tho o l omonts of Claim 20 where i n the 
software further i nc l udes The computer program product of claim 20. further comprising 
instructions for : a modu l o for writing the at least one set of data which has been 
encrypted arid recorded events in a sequential order in the f i xed s i ze storage block of 
the substantially fixed size and for wrapping around when tt^e an end of the f i xed - s i ze 
memory storage block of the substantially fixed size is reached. 
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